Mozilla Security Bloghttps://blog.mozilla.org/security
Wed, 15 Jul 2015 19:18:14 +0000en-UShourly1http://wordpress.org/?v=4.2.3Mozilla Winter of Security is back!https://blog.mozilla.org/security/2015/07/15/mozilla-winter-of-security-is-back/
https://blog.mozilla.org/security/2015/07/15/mozilla-winter-of-security-is-back/#commentsWed, 15 Jul 2015 19:18:14 +0000https://blog.mozilla.org/security/?p=2001Continue reading]]>Last year, we introduced the Mozilla Winter of Security (MWoS) to invite students to work on security projects with members of Mozilla’s security teams. Ten projects were proposed, and dozens of teams applied. A winter later, MWoS 2014 gave birth to exciting new technologies such as the SeaSponge Threat Modeling platform, the Masche memory scanning Go library, a Linux Audit plugin written in Go for integration in Heka, and a TLS Observatory.

The first edition of MWoS was a success, and a lot of fun for students and mentors, so we decided to run it again this year. For the 2015 edition, we are proposing six projects that directly contribute to our most impactful security tools. Students will be able to work on digital forensics with MIG, SSL/TLS configurations with Menagerie, certificate management with LetsEncrypt, security visualization with MozDef, and web security scanning with OWASP ZAP.

The feedback from last year taught us that students work better when their mentors are more available to support them. But time is a scarce resource, and mentors can be hard to reach. This year we decided to reduce the number of projects and give each project two mentors: a primary and a secondary. Mentors also have a maximum of one project as primary, which will help dedicate more attention to the students. Our goal is to provide as much support as we can and help the teams succeed.

For students the requirements are unchanged: teams must be engaged in a university program and their professor must agree to give them credits for their MWoS project. Based on last year’s feedback, this formula works very well to ensure students have the time and motivation to work on their project.

Applications open today and will close on August 15th, in just one month! If you are a professor, tell your students about MWoS today. If you are a student, start assembling your team, and fill up the application form before August 15th. We will take about two weeks after the applications close to contact the teams and let them know if they have been selected.

Questions about the MWoS program or the projects can be directed to the mentors directly by email or on the #security IRC channel.

As soon as a developer at Mozilla starts integrating a new WebAPI feature, the Mozilla Security team begins working to help secure that API. Subtle programming mistakes in new code can introduce annoying crashes and even serious security vulnerabilities that can be triggered by malformed input which can lead to headaches for the user and security exposure.

WebAPIs start life as a specification in the form of an Interface Description Language, or IDL. Since this is essentially a grammar, a grammar-based fuzzer becomes a valuable tool in finding security issues in new WebAPIs because it ensures that expected semantics are followed most of the time, while still exploring enough undefined behavior to produce interesting results.

We came across a grammar fuzzer Ben Hawkes released in 2011 called “Dharma.” Sadly, only one version was ever made public. We liked Ben’s approach, but Dharma was missing some features which were important for us and its wider use for API fuzzing. We decided to sit down with our fuzzing mates at BlackBerry and rebuild Dharma, giving the results back to the public, open source and licensed as MPL v2.

We redesigned how Dharma parses grammars and optimized the speed of parsing and the generating of fuzzed output, added new grammar features to the grammar specification, added support for serving testcases over a WebSocket server, and made it Python 3 ready. It comes with no dependencies and runs out of the box.

In theory Dharma can be used with any data that can be represented as a grammar. At Mozilla we typically use it for APIs like WebRTC, WebAudio, or WebCrypto.

Dharma has no integrated harness. Feel free to check out the Quokka project which provides an easy way for launching a target with Dharma, monitoring the process and bucketing any faults.

Dharma is actively in use and maintained at Mozilla and more features are planned for the future. Ideas for improvements are always greatly welcomed.

]]>https://blog.mozilla.org/security/2015/06/29/dharma/feed/0Changes to the Firefox Bug Bounty Programhttps://blog.mozilla.org/security/2015/06/09/upcoming-changes-to-the-firefox-bug-bounty-program/
https://blog.mozilla.org/security/2015/06/09/upcoming-changes-to-the-firefox-bug-bounty-program/#commentsTue, 09 Jun 2015 18:53:32 +0000https://blog.mozilla.org/security/?p=1984Continue reading]]>The Bug Bounty Program is an important part of security here at Mozilla. This program has paid out close to 1.6 million dollars to date and we are very happy with the success of it. We have a great community of researchers who have really contributed to the security of Firefox and our other products.

Those of us on the Bug Bounty Committee did an evaluation of the Firefox bug bounty program as it stands and decided it was time for a change.

First, we looked at how much we award for a vulnerability. The amount awarded was increased to $3000 five years ago and it is definitely time for this to be increased again. We have dramatically increased the amount of money that a vulnerability is worth. On top of that, we took a look at how we decided how much we should pay out. Rather than just one amount that can be awarded, we are moving to a variable payout based on the quality of the bug report, the severity of the bug, and how clearly the vulnerability can be exploited.

Finally, we looked into how we decide what vulnerability is worth a bounty award. Historically we would award $3000 for vulnerabilities rated Critical and High. Issues would come up where a vulnerability was interesting but was ultimately rated as Moderate. From now on, we will officially be paying out on Moderate rated vulnerabilities. The amount that is paid out will be determined by the committee, but the general range is $500 to $2000. This doesn’t mean that all Moderate vulnerabilities will be awarded a bounty but some will.

Another exciting announcement to make is the official release of our Firefox Security Bug Bounty Hall of Fame! This page has been up for a while but we haven’t announced it until now. This is a great place to find your name if you are a researcher who has found a vulnerability or if you want to see all the people who have helped make Firefox so secure.

We will be making a Web and Services Bug Bounty Hall of Fame page very soon. Keep an eye out for that!

]]>https://blog.mozilla.org/security/2015/06/09/upcoming-changes-to-the-firefox-bug-bounty-program/feed/0MozDef: The Mozilla Defense Platform v1.9https://blog.mozilla.org/security/2015/05/20/mozdef-the-mozilla-defense-platform-v1-9/
https://blog.mozilla.org/security/2015/05/20/mozdef-the-mozilla-defense-platform-v1-9/#commentsWed, 20 May 2015 22:26:22 +0000https://blog.mozilla.org/security/?p=1979Continue reading]]>At Mozilla we’ve been using The Mozilla Defense Platform (lovingly referred to as MozDef) for almost two years now and we are happy to release v1.9. If you are unfamiliar, MozDef is a Security Information and Event Management (SIEM) overlay for ElasticSearch.

MozDef aims to bring real-time incident response and investigation to the defensive tool kits of security operations groups in the same way that Metasploit, LAIR and Armitage have revolutionized the capabilities of attackers.

We use MozDef to ingest security events, alert us to security issues, investigate suspicious activities, handle security incidents and to visualize and categorize threat actors. The real-time capabilities allow our security personnel all over the world to work collaboratively even though we may not sit in the same room together and see changes as they occur. The integration plugins allow us to have the system automatically respond to attacks in a preplanned fashion to mitigate threats as they occur.

Feel free to take it for a spin on the demo site. You can login by creating any test email/password combination you like. The demo site is rebuilt occasionally so don’t expect anything you put there to live for more than a couple days but feel free to test it out.

]]>https://blog.mozilla.org/security/2015/05/20/mozdef-the-mozilla-defense-platform-v1-9/feed/1May 2015 CA Communicationhttps://blog.mozilla.org/security/2015/05/12/may-2015-ca-communication/
https://blog.mozilla.org/security/2015/05/12/may-2015-ca-communication/#commentsTue, 12 May 2015 19:13:56 +0000https://blog.mozilla.org/security/?p=1974Continue reading]]>Mozilla has sent a Communication to the Certification Authorities (CAs) who have root certificates included in Mozilla’s program. Mozilla’s CA Certificate Program governs inclusion of root certificates in Network Security Services (NSS), a set of open source libraries designed to support cross-platform development of security-enabled client and server applications. The NSS root certificate store is not only used in Mozilla products such as the Firefox browser, but is also used by other companies in a variety of applications.

The full action items can be read here. Responses to the survey will be collated using Salesforce and the answers published in June.

With this CA Communication, we re-iterate that participation in Mozilla’s CA Certificate Program is at our sole discretion, and we will take whatever steps are necessary to keep our users safe. Nevertheless, we believe that the best approach to safeguard that security is to work with CAs as partners, to foster open and frank communication, and to be diligent in looking for ways to improve.

There’s pretty broad agreement that HTTPS is the way forward for the web. In recent months, there have been statements from IETF, IAB (even the other IAB), W3C, and the US Government calling for universal use of encryption by Internet applications, which in the case of the web means HTTPS.

After a robust discussion on our community mailing list, Mozilla is committing to focus new development efforts on the secure web, and start removing capabilities from the non-secure web. There are two broad elements of this plan:

Setting a date after which all new features will be available only to secure websites

Gradually phasing out access to browser features for non-secure websites, especially features that pose risks to users’ security and privacy.

For the first of these steps, the community will need to agree on a date, and a definition for what features are considered “new”. For example, one definition of “new” could be “features that cannot be polyfilled”. That would allow things like CSS and other rendering features to still be used by insecure websites, since the page can draw effects on its own (e.g., using <canvas>). But it would still restrict qualitatively new features, such as access to new hardware capabilities.

The second element of the plan will need to be driven by trade-offs between security and web compatibility. Removing features from the non-secure web will likely cause some sites to break. So we will have to monitor the degree of breakage and balance it with the security benefit. We’re also already considering softer limitations that can be placed on features when used by non-secure sites. For example, Firefox already prevents persistent permissions for camera and microphone access when invoked from a non-secure website. There have also been some proposals to limit the scope of non-secure cookies.

It should be noted that this plan still allows for usage of the “http” URI scheme in legacy content. With HSTS and the upgrade-insecure-requests CSP attribute, the “http” scheme can be automatically translated to “https” by the browser, and thus run securely.

Since the goal of this effort is to send a message to the web developer community that they need to be secure, our work here will be most effective if coordinated across the web community. We expect to be making some proposals to the W3C WebAppSec Working Group soon.

Thanks to the many people who participated in the mailing list discussion of this proposal. Let’s get the web secured!

Richard Barnes, Firefox Security Lead

Update (2015-05-01): Since there are some common threads in the comments, we’ve put together a FAQ document with thoughts on free certificates, self-signed certificates, and more.

The integrity of the secure Web depends on CAs issuing certificates that correctly attest to the identity of websites. Mozilla products ship a default list of CA certificates, which may change with each security patch or new version of the product. Inclusion of a CA certificate in Mozilla products involves a rigorous process and evaluation of the CA’s public-facing policy documentation and audit statements, in order to verify that the CA conforms to the criteria required by Mozilla’s CA Certificate Inclusion Policy.

The CA certificates included in the Mozilla list can be marked as trusted for various purposes, so that the software can use the CA certificates to verify certificates for (1) SSL/TLS servers, (2) S/MIME email users, and/or (3) digitally-signed code objects, without having to ask users for further permission or information. When a CA certificate is trusted for verifying certificates for SSL/TLS servers, Mozilla’s CA Certificate Inclusion Policy requires CAs to annually provide public-facing attestation from an independent party stating that they have audited the CA using one of the following two sets of criteria:

Despite many requests for E-Guven to provide current public-facing audit statements that meet the requirements of Mozilla’s CA Certificate Inclusion Policy, the audit statement that Mozilla has for E-Guven indicates that the last supervision of E-Guven was held in 2013 and was not performed according to either of the above sets of criteria. Therefore, discussion about this CA was held in the mozilla.dev.security.policy forum, and the consensus was that E-Guven’s root certificate should be removed.

As always, we recommend that all users upgrade to the latest version of Firefox. This particular change will be in Firefox 38 and future releases of Firefox.

Mozilla Security Team

]]>https://blog.mozilla.org/security/2015/04/27/removing-e-guven-ca-certificate/feed/3Distrusting New CNNIC Certificateshttps://blog.mozilla.org/security/2015/04/02/distrusting-new-cnnic-certificates/
https://blog.mozilla.org/security/2015/04/02/distrusting-new-cnnic-certificates/#commentsThu, 02 Apr 2015 17:36:59 +0000https://blog.mozilla.org/security/?p=1951Continue reading]]>Last week, Mozilla was notified that a Certificate Authority (CA) called CNNIC had issued an unconstrained intermediate certificate, which was subsequently used by the recipient to issue certificates for domain names the holder did not own or control (i.e., for MitM). We added the intermediate certificate in question to Firefox’s direct revocation system, called OneCRL, and have been further investigating the incident.

After reviewing the circumstances and a robust discussion on our public mailing list, we have concluded that CNNIC’s behaviour in issuing an unconstrained intermediate certificate to a company with no documented PKI practices and with no oversight of how the private key was stored or controlled was an ‘egregious practice’ as per Mozilla’s CA Certificate Enforcement Policy. Therefore, after public discussion and consideration of the scope and impact of a range of options, we have decided to update our code so that Mozilla products will no longer trust any certificate issued by CNNIC’s roots with a notBefore date on or after 1st April 2015. We have put together a longer document with more details on the incident and how we arrived at the conclusion we did.

CNNIC may, if they wish, re-apply for full inclusion in the Mozilla root store and the removal of this restriction, by going through Mozilla’s inclusion process after completing additional steps that the Mozilla community may require as a result of this incident. This will be discussed in the mozilla.dev.security.policy forum.

The notBefore date that will be checked is inserted into the certificate by CNNIC. We will therefore be asking CNNIC for a comprehensive list of their currently-valid certificates, and publishing it. After the list has been provided, if a certificate not on the list, with a notBefore date before 1 April 2015, is detected on the public Internet by us or anyone else, we reserve the right to take further action.

We believe that this response is consistent with Mozilla policy and is one which we could apply to any other CA in the same situation.

Mozilla Security Team

]]>https://blog.mozilla.org/security/2015/04/02/distrusting-new-cnnic-certificates/feed/96Introducing Project Seasponge: Quick and Easy Threat Modelinghttps://blog.mozilla.org/security/2015/04/02/introducing-project-seasponge-quick-and-easy-threat-modeling/
https://blog.mozilla.org/security/2015/04/02/introducing-project-seasponge-quick-and-easy-threat-modeling/#commentsThu, 02 Apr 2015 16:09:17 +0000https://blog.mozilla.org/security/?p=1945Continue reading]]>Threat modeling is a crucial but often neglected part of developing, implementing and operating any system. If you have no mental model of a system or its strengths and weaknesses it is extremely difficult to secure it correctly.

In an effort to help make threat modeling easier a Mozilla Winter of Security (MWOS) team has developed Seasponge, a browser-based graphical threat modeling tool. Written specifically for the browser environment, the tool requires no special addons or plugins and allows one to quickly and easily diagram a system and its data flows and begin the important work of focusing on threats.

A demo is worth a thousand meetings and the team of Joel Kuntz, Sarah MacDonald, Glavin Wiechert, Mathew Kallada and professor Dr. Pawan Lingras from Saint Mary’s University in Halifax, Nova Scotia has been generous enough to put together a video explaining the project along with a quick demo:

The code for the project is available on github. A working client is continually posted here for you to try out. Have a look at it and if you spot a bug, or see a feature you’d like please contribute by filing a github issue or even better, by sending a pull request!

]]>https://blog.mozilla.org/security/2015/04/02/introducing-project-seasponge-quick-and-easy-threat-modeling/feed/2Revoking Trust in one CNNIC Intermediate Certificatehttps://blog.mozilla.org/security/2015/03/23/revoking-trust-in-one-cnnic-intermediate-certificate/
https://blog.mozilla.org/security/2015/03/23/revoking-trust-in-one-cnnic-intermediate-certificate/#commentsMon, 23 Mar 2015 22:23:59 +0000https://blog.mozilla.org/security/?p=1930Continue reading]]>Mozilla was recently notified that an intermediate certificate, which chains up to a root included in Mozilla’s root store, was loaded into a firewall device that performed SSL man-in-the-middle (MITM) traffic management. It was then used, during the process of inspecting traffic, to generate certificates for domains the device owner does not legitimately own or control. The Certificate Authority (CA) has told us that this action was not permitted by their policies and practices and the agreement with their customer, and they have revoked the intermediate certificate that was loaded into the firewall device. While this is not a Firefox-specific issue, to protect our users we are adding the revoked certificate to OneCRL, our mechanism for directly sending revocation information to Firefox which will be shipping in Firefox 37.

Issue
China Internet Network Information Center (CNNIC), a non-profit organization administrated by Cyberspace Administration of China (CAC), operates the “CNNIC Root” and “China Internet Network Information Center EV Certificates Root” certificates that are included in NSS, and used to issue certificates to organizations and the general public. CNNIC issued an unconstrained intermediate certificate that was labeled as a test certificate and had a two week validity, expiring April 3, 2015. Their customer loaded this certificate into a firewall device which performed SSL MITM, and a user inside their network accessed other servers, causing the firewall to issue certificates for domains that this customer did not own or control. Mozilla’s CA Certificate Policy prohibits certificates from being used in this manner when they chain up to a root certificate in Mozilla’s CA program.

Impact
An intermediate certificate that is used for MITM allows the holder of the certificate to decrypt and monitor communication within their network between the user and any website without browser warnings being triggered. An attacker armed with a fraudulent SSL certificate and an ability to control their victim’s network could impersonate websites in a way that would be undetectable to most users. Such certificates could deceive users into trusting websites appearing to originate from the domain owners, but actually containing malicious content or software. We believe that this MITM instance was limited to CNNIC’s customer’s internal network.

Status
Mozilla is adding the revoked intermediate certificate that was mis-used in the firewall device to OneCRL which will be shipping in Firefox 37. Additional action regarding this CA will be discussed in the mozilla.dev.security.policy forum. When similar incidents have happened in the past, responses have included requiring additional audits to confirm that the CA updated their procedures, and using name constraints to constrain the CA’s hierarchy to certain domains.

End-user Action
We recommend that all users upgrade to the latest version of Firefox. Firefox 37 and future releases of Firefox (including Firefox 38 ESR) will contain OneCRL which will be used for this certificate revocation and for future certificate revocations of this type.